White House raises stakes in cybersecurity debate

The White House on Thursday issued long-awaited legislative recommendations for fortifying U.S. computer networks in a proposal that notably omitted any talk of a “kill switch” for the Internet.

No previous administration had ever released legislative guidance on cybersecurity, which has become a pressing issue now that computer networks have become an essential part of most industries, including transportation and communication.

Government and military officials have issued warnings for years about increasing attacks on U.S. networks from enemy states and criminal organizations. Experts are in wide agreement that the nation’s digital security laws are badly outdated and have failed to keep pace with technological change.

But attempts to deal with cybersecurity in Congress have been bogged down by accusations that the government wants to create a “kill switch” authority for the Web, to be used during emergencies.

The recent turmoil in Egypt and Tunisia heightened the “kill switch” fears, as the regimes in both countries succeeded in blacking out Internet access in an attempt to quell internal revolts.

A senior White House official said the president has sufficient authority to respond to a cyberattack and noted that the bill doesn’t ask for any expansion of those powers. In the past, the White House has pointed to a provision in the Communications Act passed after the 1941 attack on Pearl Harbor as the source of the president’s authority during cyber-emergencies.

Alan Paller, a research director at the SANS Institute, which specializes in cybersecurity, said “there isn’t anything at all that smacks of a kill switch” in the White House plan.

Lawmakers on both sides of the aisle have denounced giving any single entity authority to shut down the Web, and experts have noted the structure of the U.S. Internet would make it almost impossible to do so from a central location.

But the fear of the government’s ability to limit the public’s access to the Web remains a primary concern of free speech advocates and will be a closely watched issue as the debate unfolds.

Now that the White House has released a plan, Senate Democrats can finally move forward with cybersecurity legislation that has been on hold since last year.

Lawmakers had been waiting for the White House to weigh in on critical cybersecurity issues, including how the government should protect its networks and whether firms should have to notify consumers about cyberattacks that might have released their personal data.

“The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos,” said Senate Homeland Security Committee Chairman Joe Lieberman (I-Conn.), ranking member Susan Collins (R-Maine) and Sen. Tom Carper (D-Del.) in a joint statement.

“We both recognize that the government and the private sector must work together to secure our nation’s most critical infrastructure, for example, our energy, water, financial, telecommunications and transportation systems.”

The White House proposal also reflects the administration’s attempt to mend fences with the business community. Officials took great pains during the call Thursday to avoid casting the proposed requirements on private-sector firms as a regulatory mandate.

The recommendations call for industry to largely police itself on cybersecurity, with the administration threatening public shaming rather than fines or civil penalties for firms that fail to comply.

But officials suggested the Department of Homeland Security (DHS) would still have the authority to override standards and force firms to comply when national security is at risk.

Paller called the release a catalyst for the cybersecurity debate, which appeared to stall last year over a turf battle between the Senate Commerce and Homeland Security committees.

That dispute has been smoothed over, and Senate Democrats are likely to act in the near future, putting the ball in the court of House Republicans, who have struck an anti-regulatory stance in the majority.

House Homeland Security Committee Cybersecurity sub-panel Chairman Dan Lungren (R-Calif.) voiced some reservation about the administration’s proposal to require firms to submit to third-party audits to verify they meet the security standards.

“My concern is that the administration wants to establish yet another massive mandatory regulation regime and create a cottage industry of government-approved auditors,” Lungren said. “A government-driven auditing regime will stifle American innovation and not improve security.

“Industry needs to focus on creating jobs through better cyber technology, not be drowned in paperwork to satisfy auditors.”

One key issue the proposal leaves open is which firms should be deemed critical infrastructure and core critical infrastructure. Those determinations would be made by the secretary of Homeland Security in a process that would weigh a variety of factors that will be determined in consultation with industry and the public.

Those discussions would be heavily scrutinized, as firms deemed core-critical infrastructure would be subject to additional regulatory and oversight requirements.

The proposal includes a provision revamping the Federal Information Security Management Act (FISMA), which governs how the federal government protects its own networks. Under the White House plan, the Department of Homeland Security would deploy an active monitoring and defense program government-wide and get more authority to ensure agencies meet its security standards.

FISMA reform has been a topic of frequent concern in recent years; the current law is considered overly focused on paperwork and compliance rather than deterring attacks. The White House would expand DHS’s hiring authority to enable the agency to hire the best cybersecurity specialists directly, in a manner similar to the Pentagon and intelligence agencies.

Additionally, the White House proposal would require businesses to inform consumers when a hacker or criminal manages to breach their personal information. The firms would also be required to notify the government of certain data breaches.

A Justice Department official characterized the provision as an attempt to combine and clarify the current patchwork of individual state data breach laws.